What are Privacy Manifests

Apple requires:

Apps uploaded to App Store Connect must be built with Xcode 15 for iOS 17, iPadOS 17, tvOS 17, or watchOS 10, starting April 29, 2024.

Apple has also adopted new requirements for some commonly used SDKs:

Starting in spring 2024, you must include the privacy manifest for any SDK listed below when you submit new apps in App Store Connect that include those SDKs, or when you submit an app update that adds one of the listed SDKs as part of the update.

Signatures are also required in these cases where the listed SDKs are used as binary dependencies.

Any version of a listed SDK, as well as any SDKs that repackage those on the list, are included in the requirement.

And the latest timeline for privacy manifests:

Starting May 1: You’ll need to include approved reasons for the listed APIs used by your app’s code to upload a new or updated app to App Store Connect. If you’re not using an API for an allowed reason, please find an alternative. And if you add a new third-party SDK that’s on the list of commonly used third-party SDKs, these API, privacy manifest, and signature requirements will apply to that SDK. Make sure to use a version of the SDK that includes its privacy manifest and note that signatures are also required when the SDK is added as a binary dependency.

This is the first part of a series on Privacy Manifests.

  1. What are Privacy Manifests
  2. How to Create a Privacy Manifest in Your iOS App
  3. How to Add a Privacy Manifest to SDK
  4. All 86 Requiring SDKs and Status in Supporting Privacy Manifest
  5. How to Generate Privacy Report and Update Privacy Nutrition Labels

What are Privacy Manifests

The privacy manifest is one of Apple's iOS 17 Privacy features.

Apps and third-party SDKs — distributed as XCFrameworks, Swift packages, or framework bundles — can contain a privacy manifest file, named PrivacyInfo.xcprivacy.
The privacy manifest is a property list that records the types of data collected by your app or third-party SDK, and the required reasons APIs your app or third-party SDK uses. For each type of data your app or third-party SDK collects and category of required reasons API it uses, record the reasons in your privacy manifest file.

There are several critical pieces of information that must be reported by all apps and SDKs in the privacy manifest.

Data Usage Categories

The privacy manifest file must include the following keys regarding data collection.

  • 1. NSPrivacyTracking: true or false
    Whether your app or third-party SDK uses the App Tracking Transparency framework to collect data for tracking purposes.

  • 2. NSPrivacyTrackingDomains: [string]
    The list of domains to which your app or third-party SDK connects that engage in tracking activities.

  • 3. NSPrivacyCollectedDataTypes: [dictionary]
    An array of dictionaries that describes the data types your app or third-party SDK collects.

    Each dictionary needs to contain these keys and values:

    • 1) NSPrivacyCollectedDataType: [string]
      The type of data your app or third-party SDK collects. Choose the type value from this list.

    • 2) NSPrivacyCollectedDataTypeLinked: true or false
      Indicates whether your app or third-party SDK links this data type to the user’s identity.

    • 3) NSPrivacyCollectedDataTypeTracking: true or false
      Indicates whether your app or third-party SDK uses this data type to track.

    • 4) NSPrivacyCollectedDataTypePurposes: [string]
      The list of the reasons your app or third-party SDK collects the data. Choose values from this list.

      • NSPrivacyCollectedDataTypePurposeThirdPartyAdvertising
      • NSPrivacyCollectedDataTypePurposeDeveloperAdvertising
      • NSPrivacyCollectedDataTypePurposeAnalytics
      • NSPrivacyCollectedDataTypePurposeProductPersonalization
      • NSPrivacyCollectedDataTypePurposeAppFunctionality
      • NSPrivacyCollectedDataTypePurposeOther

Tracking Domains

If you set NSPrivacyTracking to true then you need to provide at least one internet domain in NSPrivacyTrackingDomains; otherwise, you can provide zero or more domains.

If the user has not granted tracking permission through the App Tracking Transparency framework, iOS 17 automatically blocks connections to tracking domains that have been specified in any privacy manifest included in your app.

In some cases, domains may be used for both tracking and non-tracking functionality. An approach that you or a third-party SDK developer could take is to separate the functionality into different host names.

For example:

  • tracking.example.com
  • non-tracking.example.com

Then, declare tracking.example.com as a tracking domain in the privacy manifest.

Required Reason APIs

Apple gives a list of required reason APIs. Any apps or SDKs accessing an API on this list will need to record a reason for it within the privacy manifest file.

Accesses to required reason APIs must be recorded in the privacy manifest file under the key NSPrivacyAccessedAPITypes.

The value of NSPrivacyAccessedAPITypes is an array of dictionaries that describe the types of required reasons APIs accessed by your app or third-party SDK.

Each dictionary needs to contain these keys and values:

Privacy Manifest File Example

The following is an example of a PrivacyInfo.xcprivacy file.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>NSPrivacyAccessedAPITypes</key>
	<array>
		<dict>
			<key>NSPrivacyAccessedAPIType</key>
			<string>NSPrivacyAccessedAPICategoryDiskSpace</string>
			<key>NSPrivacyAccessedAPITypeReasons</key>
			<array>
				<string>E174.1</string>
			</array>
		</dict>
		<dict>
			<key>NSPrivacyAccessedAPITypeReasons</key>
			<array>
				<string>35F9.1</string>
			</array>
			<key>NSPrivacyAccessedAPIType</key>
			<string>NSPrivacyAccessedAPICategorySystemBootTime</string>
		</dict>
		<dict>
			<key>NSPrivacyAccessedAPIType</key>
			<string>NSPrivacyAccessedAPICategoryFileTimestamp</string>
			<key>NSPrivacyAccessedAPITypeReasons</key>
			<array>
				<string>DDA9.1</string>
			</array>
		</dict>
	</array>
	<key>NSPrivacyTrackingDomains</key>
	<array>
		<string>tracking.apnspush.com</string>
	</array>
	<key>NSPrivacyTracking</key>
	<true/>
	<key>NSPrivacyCollectedDataTypes</key>
	<array>
		<dict>
			<key>NSPrivacyCollectedDataType</key>
			<string>NSPrivacyCollectedDataTypePreciseLocation</string>
			<key>NSPrivacyCollectedDataTypeLinked</key>
			<false/>
			<key>NSPrivacyCollectedDataTypeTracking</key>
			<false/>
			<key>NSPrivacyCollectedDataTypePurposes</key>
			<array>
				<string>NSPrivacyCollectedDataTypePurposeAppFunctionality</string>
			</array>
		</dict>
		<dict>
			<key>NSPrivacyCollectedDataType</key>
			<string>NSPrivacyCollectedDataTypeEmailAddress</string>
			<key>NSPrivacyCollectedDataTypeLinked</key>
			<true/>
			<key>NSPrivacyCollectedDataTypeTracking</key>
			<true/>
			<key>NSPrivacyCollectedDataTypePurposes</key>
			<array>
				<string>NSPrivacyCollectedDataTypePurposeAnalytics</string>
				<string>NSPrivacyCollectedDataTypePurposeAppFunctionality</string>
			</array>
		</dict>
		<dict>
			<key>NSPrivacyCollectedDataType</key>
			<string>NSPrivacyCollectedDataTypeDeviceID</string>
			<key>NSPrivacyCollectedDataTypeLinked</key>
			<false/>
			<key>NSPrivacyCollectedDataTypeTracking</key>
			<true/>
			<key>NSPrivacyCollectedDataTypePurposes</key>
			<array>
				<string>NSPrivacyCollectedDataTypePurposeAnalytics</string>
			</array>
		</dict>
	</array>
</dict>
</plist>
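
The rules described in the sections above (a tracking domain is required when NSPrivacyTracking is true, every collected-data dictionary carries four keys, purposes come from a fixed list, and each accessed API category records a reason) can be checked mechanically before upload. The Python lint below is an added example, not code from the original article or from Apple; lint_manifest and SAMPLE are hypothetical names, and the sample manifest is constructed.

```python
import plistlib

# Purpose values exactly as listed on this page.
PURPOSES = {"NSPrivacyCollectedDataTypePurpose" + s for s in (
    "ThirdPartyAdvertising", "DeveloperAdvertising", "Analytics",
    "ProductPersonalization", "AppFunctionality", "Other")}
# The four keys each collected-data dictionary needs.
DATA_KEYS = ("NSPrivacyCollectedDataType", "NSPrivacyCollectedDataTypeLinked",
             "NSPrivacyCollectedDataTypeTracking",
             "NSPrivacyCollectedDataTypePurposes")

def lint_manifest(raw: bytes) -> list:
    """Return findings for a PrivacyInfo.xcprivacy payload (hypothetical helper)."""
    m = plistlib.loads(raw)
    findings = []
    # Rule from the Tracking Domains section: tracking implies >= 1 domain.
    if m.get("NSPrivacyTracking") is True and not m.get("NSPrivacyTrackingDomains"):
        findings.append("NSPrivacyTracking is true but no tracking domain is declared")
    for i, entry in enumerate(m.get("NSPrivacyCollectedDataTypes", [])):
        name = entry.get("NSPrivacyCollectedDataType", f"data entry {i}")
        findings += [f"{name}: missing {k}" for k in DATA_KEYS if k not in entry]
        findings += [f"{name}: unknown purpose {p}"
                     for p in entry.get("NSPrivacyCollectedDataTypePurposes", [])
                     if p not in PURPOSES]
    for i, entry in enumerate(m.get("NSPrivacyAccessedAPITypes", [])):
        name = entry.get("NSPrivacyAccessedAPIType", f"API entry {i}")
        # Every accessed API category must carry at least one recorded reason.
        if not entry.get("NSPrivacyAccessedAPITypeReasons"):
            findings.append(f"{name}: no reason recorded")
    return findings

# Constructed sample with four deliberate mistakes (not a real SDK's manifest).
SAMPLE = plistlib.dumps({
    "NSPrivacyTracking": True,
    "NSPrivacyTrackingDomains": [],
    "NSPrivacyCollectedDataTypes": [{
        "NSPrivacyCollectedDataType": "NSPrivacyCollectedDataTypeDeviceID",
        "NSPrivacyCollectedDataTypeTracking": True,
        "NSPrivacyCollectedDataTypePurposes": ["Analytics"],
    }],
    "NSPrivacyAccessedAPITypes": [{
        "NSPrivacyAccessedAPIType": "NSPrivacyAccessedAPICategoryDiskSpace",
        "NSPrivacyAccessedAPITypeReasons": [],
    }],
})

if __name__ == "__main__":
    for finding in lint_manifest(SAMPLE):
        print("FINDING:", finding)
```

Running the same function over each PrivacyInfo.xcprivacy bundled in a build, including those shipped inside third-party SDKs, surfaces incomplete manifests before App Store Connect does.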